I’ve been working furiously on some Citrix XenApp stuff recently on shiny new Server 2016 boxes. Yesterday was a productive day and all was well. With it also being Patch Tuesday and my machines part of the Patient Zero Device Collection targeted for updates I received May’s patches last night/this morning.
Today, when I attempted to RDP into Server 2016 boxes I received the following error:
Remote Desktop Connection
An authentication error has occurred.
The function requested is not supported
Remote computer: <remote computer>
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660
This is intentional and I urge you to direct your attention to the URL in the message: https://go.microsoft.com/fwlink/?linkid=866660
Cliff’s Notes version of the cause from the article:
- The initial March 13, 2018, release updated the CredSSP authentication protocol but did NOT enforce the new version of the CredSSP protocol.
- The April 17, 2018, Remote Desktop Client (RDP) update in KB 4093120 enhances the error message that is presented when an updated client fails to connect to a server that has not been updated.
- The May 8, 2018, update makes the new updates CredSSP protocol mandatory.
This intentional change adjusts the default setting from ‘Vulnerable’ to ‘Mitigated’.
In reviewing the interoperability matrix there are only a few blocked scenarios:
- Server Patched ‘Force updated clients’ + Clients Unpatched = Blocked
- Server Unpatched + Clients Patched ‘Force updated clients’ = Blocked
- Server Unpatched + Clients Patched ‘Mitigated’ = Blocked
Well I know my client is patched so that rules out Scenario 1, making it clear our Server 2016 servers are missing KB 4103723.
Solution: Patch your servers!
This is not a solution. It’s a fake solution or as I like to call them faux-lutions.
So is there a workaround? Sure. So in my particular scenario, I would set the patched client(s) to ‘Vulnerable’ which means that I would then be exposing remote servers to attacks by supporting fallback to insecure versions.
Arguments can be made either way to justify this but I don’t think its wise:
- It negatively affects our security posture
- I’m human thus prone to forgetting things and then I’ll never undo it.
I’d rather submit an emergency change request to patch the servers.
In fact, Microsoft’s recommendation is to set AllowEncryptionOracle on clients and server computers as soon as possible to one of the following:
- Force updated clients = 0
- Mitigated = 1
But if you want to go down this slippery slope at your own risk, set on your patched client(s), set AllowEncryptionOracle to 2 and you’ll be able to connect to your unpatched server(s):
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /v AllowEncryptionOracle /d 2 /t reg_dword
The documentation states a reboot is required but in testing, a reboot is not required.
- CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability
- Windows 10 1803 May 8, 2018—KB4103721 (OS Build 17134.48)
- Windows 10 1709 May 8, 2018—KB4103727 (OS Build 16299.431)
- Windows 10 1703 May 8, 2018—KB4103731 (OS Build 15063.1088)
- Windows 10 1607 & Server 2016 May 8, 2018—KB4103723 (OS Build 14393.2248)
Whatever route you take, I bid you Good Providence!